
Smart RF Equivalent

1. INTRODUCTION

Interested in knowing how Bluetooth Low Energy works down to the packet level? Do you want to debug your own BLE device and spot where you are going wrong? Or are you making a custom application for your phone that needs to talk to your BLE hardware, but you don't know how it works? We have the right tool to help you!

The BLE Sniffer is an embedded device used to display and store BLE packets captured by a CC2540 BLE sniffer. The sniffer software parses the packets, decodes them and displays them in a convenient way, with options for filtering and showing only the relevant fields.


A CC2540 USB dongle together with a Tiva board carrying the TM4C123GH6PM microcontroller is used as the hardware platform. The packets received by the CC2540 are streamed over the UART interface to the TM4C123GH6PM, where they are analysed. The processed data can be sent over UART to any terminal such as HyperTerminal, Minicom or PuTTY, or it can be displayed on a local LCD (not implemented yet).

2. POSSIBLE SNIFFING OPTIONS

The main idea of this project is to provide an easy debug environment for custom BLE implementations. Two types of application are possible for debugging BLE implementations. The feasibility of both approaches was studied before the second approach was chosen.

1. In the first approach, the CC2540 acts as a BLE Central node, interrogates the BLE peripheral, and displays the status messages and data received. It also performs connection establishment and data transfer.

The HostTestRelease project, part of the sample projects provided by TI [1], together with a custom sniffer application can be used to implement this. In this case the BLE stack and profiles are implemented in the CC2540, which communicates with the Tiva board over the HCI interface on UART.

2. In the second approach, the CC2540 acts as a packet sniffer and captures the BLE messages over the air. These messages are sent over UART to the Tiva board, where they are processed and segregated; the processed information is then sent over UART and can be viewed in an application such as HyperTerminal on a PC.

3. CHALLENGES

One of the main challenges in implementing a custom BLE sniffer is that lower-level drivers which can configure the radio in sniffer/promiscuous mode are not available in the public domain. Furthermore, source code is not available for any of the BLE sniffers on the market (CC2540, nRF51, etc.). Hence, we had to reverse engineer the whole packet format based on the BLE Core Specification and the available resources on the Smart RF sniffer application provided by TI. HCI commands can be used to communicate with the BLE module.

Also, no data format document is available for the UART output of the BLE sniffer firmware. For the CC2540 USB dongle to send the data in UART mode, fw_sniffer_cc2540_uart.hex [2] must be flashed to the dongle using the CC Debugger.

4. BLE SNIFFER PACKET DATA FORMAT

The data format can be segregated into 3 types.

1. Advertisement Packet

2. Data Packet

3. Idle Packet

4.1. Advertisement Packet

Advertisement Packet: (figure not reproduced here)

PDU Header: (figure not reproduced here)

Advertisement Packet Types: (figure not reproduced here)

Refer to the BLE Core Specification, Section 6.B.2.3 (Vol 6, Part B, Section 2.3, Advertising Channel PDU), for further details.

4.2. Data Packet

Data Packet: (figure not reproduced here)

Data Packet Header: (figure not reproduced here)

Data Packet Types: (figure not reproduced here)

Refer to the BLE Core Specification, Section 6.B.2.4 (Vol 6, Part B, Section 2.4, Data Channel PDU), for further details.

4.3. Idle packet

When there is no communication, the CC2540 sends an idle pattern with the following format.

Packet 1: 0x01 0x01 0x00 0x00

Packet 2: 0x01 0x01 0x00 0x40

Packet 3: 0x01 0x01 0x00 0x80

Packet 4: 0x01 0x01 0x00 0xC0

This pattern is repeated in round-robin fashion during idle time; only the top two bits of the fourth byte change between the four packets.

5. APPLICATION

In order to receive the BLE packets through UART, "fw_sniffer_cc2540_uart.hex" needs to be flashed to the CC2540 USB dongle. The custom application is built in C using CC Studio (Code Composer Studio) for the Tiva board. The Tiva board receives the BLE data over UART and parses it into the fields defined by the Bluetooth Core Specification. In addition, specific information such as the devices available, RSSI, etc. is compiled and displayed for the user.

The options available in the current implementation are:

  Packet presentation (continuous capture mode)
       Show all raw packets
       Show all packets with detailed analysis view
       Show only advertisement packets
       Show only data communication packets
  Show advertising packets of a selected type
  Show data communication packets of a selected type
  Show packets with a selected MAC or Access Address
  Show all Nodes
  Show all Advertisers
  Show all Connections
  Show RSSI of all advertisers
  Show channel usage (packets communicated in each channel)
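As an added example, not part of the project's code, the following C routines show the kind of parsing the Tiva-side application performs: recognising the idle marker from Section 4.3, and decoding the advertising PDU header and AdvA as laid out in Core Specification Vol 6, Part B, Section 2.3, while rejecting frames whose length field disagrees with the bytes actually received. It assumes the CC2540's UART framing (not reproduced on this page) has already been stripped so that the input is the bare over-the-air PDU; the sample frames are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>

/* Advertising channel PDU types (Core Spec Vol 6, Part B, Section 2.3; 4-bit PDU Type field). */
enum { ADV_IND = 0, ADV_DIRECT_IND = 1, ADV_NONCONN_IND = 2, SCAN_REQ = 3,
       SCAN_RSP = 4, CONNECT_REQ = 5, ADV_SCAN_IND = 6 };
typedef struct {
    uint8_t pdu_type;   /* header byte 0, bits 0-3 */
    uint8_t tx_add;     /* header byte 0, bit 6: 1 = random advertiser address */
    uint8_t rx_add;     /* header byte 0, bit 7 */
    uint8_t length;     /* header byte 1, bits 0-5 (BLE 4.x: 6-bit payload length, max 37) */
    uint8_t adv_a[6];   /* AdvA, stored most significant byte first for display */
} adv_pdu_t;

/* Section 4.3 idle marker: 01 01 00 xx, where only the top two bits of xx cycle 00/40/80/C0. */
int is_idle_frame(const uint8_t *f, size_t n) {
    return n == 4 && f[0] == 0x01 && f[1] == 0x01 && f[2] == 0x00 && (f[3] & 0x3F) == 0;
}

/* Legal payload length per PDU type (Core Spec Vol 6, Part B, Sections 2.3.1 to 2.3.3). */
static int payload_len_ok(uint8_t type, uint8_t len) {
    switch (type) {
    case ADV_IND: case ADV_NONCONN_IND: case ADV_SCAN_IND: case SCAN_RSP: return len >= 6 && len <= 37;
    case ADV_DIRECT_IND: case SCAN_REQ: return len == 12;
    case CONNECT_REQ: return len == 34;
    default: return 0;   /* reserved PDU type: treat as malformed rather than guessing a layout */
    }
}

/* Parse header + payload of one advertising PDU (access address and CRC already stripped).
   Returns 0 on success, -1 if the frame is malformed; never reads beyond n bytes. */
int parse_adv_pdu(const uint8_t *pdu, size_t n, adv_pdu_t *out) {
    if (n < 2) return -1;
    out->pdu_type = pdu[0] & 0x0F;
    out->tx_add = (pdu[0] >> 6) & 1;
    out->rx_add = (pdu[0] >> 7) & 1;
    out->length = pdu[1] & 0x3F;
    if (!payload_len_ok(out->pdu_type, out->length) || (size_t)out->length + 2 != n) return -1;
    /* AdvA is the first payload field except in SCAN_REQ (ScanA first) and CONNECT_REQ
       (InitA first), where it follows at payload offset 6. Air order is LSB first. */
    size_t off = (out->pdu_type == SCAN_REQ || out->pdu_type == CONNECT_REQ) ? 8 : 2;
    for (int i = 0; i < 6; i++) out->adv_a[i] = pdu[off + 5 - i];
    return 0;
}

/* Constructed sample frames (not captured traffic): an ADV_IND from random address
   C0:11:22:33:44:55 carrying a 3-byte Flags AD structure, a SCAN_REQ, and an idle marker. */
static const uint8_t SAMPLE_ADV_IND[]  = {0x40, 0x09, 0x55,0x44,0x33,0x22,0x11,0xC0, 0x02,0x01,0x06};
static const uint8_t SAMPLE_SCAN_REQ[] = {0x03, 0x0C, 0x01,0x02,0x03,0x04,0x05,0x06, 0xAA,0xBB,0xCC,0xDD,0xEE,0xFF};
static const uint8_t SAMPLE_IDLE[]     = {0x01, 0x01, 0x00, 0x80};
```

The length check matters on a sniffer: a corrupted or truncated frame otherwise makes the field decoder read past the bytes it was given.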

6. FUTURE SCOPE

1. Handheld BLE Sniffer with Display and SD Card interface

In addition to the CC2540 dongle, the Tiva board can be interfaced to a Kentec display and an SD card reader. Together with a battery pack, the whole setup can work as a handheld packet sniffer.

2. BLE Interrogator cum Packet Sniffer

By interfacing one more CC2540 module to act as a BLE Central or Peripheral node, we can extend the capability of debugging BLE packets. The second CC2540 module generates BLE advertisement packets or BLE data transfers, whereas the first CC2540 module sniffs the packets, processes them and provides the user with the relevant information.

7. REFERENCES

BLE Specifications

BLE_sniffer_guide-TI

Smart RF Packet Sniffer-TI

CC2540 Datasheets and Other documents


8. USEFUL SOFTWARES

1. Smart RF Packet Sniffer - TI

2. Smart RF Flash Programmer - TI

3. IAR Embedded Workbench for 8051 v8.20

4. BLE Stack BLE-CC254x-1.4.0

Note: BLE-CC254x-1.4.0 is compatible with IAR Embedded Workbench version 8.20 only. Because of compatibility issues, avoid using newer versions.